Alguien puede resumirlo y si es grave? Es que ahora no tengo tiempo de leer todo
… edit…
Según quien ha detectado la vulnerabilidad:
The ledger device exposes bitcoin (mainnet) public key and signing functionality outside of the “Bitcoin” app. It presents misleading transaction confirmation requests indicating the selected app’s addresses and amounts when in fact different transactions are being signed.
It was discovered that for Bitcoin and Bitcoin forks, the device exposes it’s functions for any of the assets. In other words, having unlocked the Litecoin app, you will receive a confirmation request for a Bitcoin transfer while the interface presents it as a transfer of Litecoins to a Litecoin address. Accepting the confirmation produces a fully valid signed Bitcoin (mainnet) transaction .
Solución:
Avoid using altcoin apps until fixes are available
Segun Ledger:
The Ledger Nano S and Nano X are Hierarchical Deterministic (HD) wallets, meaning that they can derive different cryptographic secrets from a single seed. As written in the Threat Model, apps can derive keys on their own HD path only, which ensures that cryptocurrency apps cannot use keys from each other. For instance, the Zcoin app cannot derive keys on the Dogecoin derivation path ( m/44'/3'/
), since its own derivation path is m/44'/128'/
.
This path restriction was not enforced for the Bitcoin app and most of its derivatives, allowing a Bitcoin derivative (eg. Litecoin) to derive public keys or sign Bitcoin transactions.
Solución:
We had to make a choice between security and usability, wanting to avoid a situation where user funds would be locked and users unable to spend their funds anymore. We thus chose to enforce a path lock in the Bitcoin app itself. If a Bitcoin derivative app tries to perform a derivation on an unusual path, a warning is displayed to the user.
In order to allow users to continue to use their Ledger Nano S/X seamlessly with any third party software wallet, this fix doesn’t enforce this verification from the OS though, which means that the --path
parameter is still empty. We might add an exhaustive path list in the future if we are sure it doesn’t break any other wallets.
Si no he entendido mal, las apps dentro de ledger comparten en algunos casos (en bitcoin, forks y derivados) información del path que genera la semilla (esto seguro que lo expreso mal, disculpadme) que puede usarse para que por ejemplo, pensando que estás haciendo una transacción de Bitcoin Cash, la estés haciendo de Bitcoin y te saquen los satoshis.
La solución según Ledger, que no sé si ya está implementada, es que te salte un aviso, ya que el sistema que utilizan indican que es el adecuado para que haya compatibilidad entre otros software wallets que puedan interactuar con Ledger.
Si alguien matiza o aclara algo estaré encantado de corregirlo